From a7185d6c94019bc3e7615c588646fd5be9d6a91c Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Sat, 2 Sep 2023 09:01:25 +0200
Subject: [PATCH] Disable server-side script exposure by default.
---
 config.json | 4 ++--
 index.html | 2 +-
 svr.js | 4 ++--
 views.txt | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config.json b/config.json
index 7bb3448..6014584 100644
--- a/config.json
+++ b/config.json
@@ -3,7 +3,7 @@
 "port": 80,
 "pubport": 80,
 "page404": "404.html",
- "timestamp": 1693523365373,
+ "timestamp": 1693637517717,
 "blacklist": [],
 "nonStandardCodes": [],
 "enableCompression": true,
@@ -16,7 +16,7 @@
 "stackHidden": false,
 "enableRemoteLogBrowsing": true,
 "exposeServerVersion": true,
- "disableServerSideScriptExpose": false,
+ "disableServerSideScriptExpose": true,
 "rewriteMap": [
 {
 "definingRegex": "/\\/invoke500\\/\\?/",
diff --git a/index.html b/index.html
index f65c727..6569ead 100644
--- a/index.html
+++ b/index.html
@@ -42,7 +42,7 @@
  "stackHidden": false,
  "enableRemoteLogBrowsing": true,
  "exposeServerVersion": true,
-   "disableServerSideScriptExpose": false,
+   "disableServerSideScriptExpose": true,
  "rewriteMap": [
    {
      "definingRegex": "/\\/invoke500\\/\\?/",
diff --git a/svr.js b/svr.js
index 8098d42..0c2d718 100644
--- a/svr.js
+++ b/svr.js
@@ -4643,7 +4643,7 @@ if (!cluster.isPrimary) {
 callServerError(403);
 serverconsole.errmessage("Access to SVR.JS script is denied.");
 return;
- } else if ((isForbiddenPath(decodedHref, "svrjs") || isForbiddenPath(decodedHref, "serverSideScripts") || isIndexOfForbiddenPath(decodedHref, "serverSideScriptDirectories")) && !isProxy && (configJSON.disableServerSideScriptExpose && configJSON.disableServerSideScriptExpose != undefined)) {
+ } else if ((isForbiddenPath(decodedHref, "svrjs") || isForbiddenPath(decodedHref, "serverSideScripts") || isIndexOfForbiddenPath(decodedHref, "serverSideScriptDirectories")) && !isProxy && (configJSON.disableServerSideScriptExpose || configJSON.disableServerSideScriptExpose === undefined)) {
 callServerError(403);
 serverconsole.errmessage("Access to sources is denied.");
 return;
@@ -5789,7 +5789,7 @@ function saveConfig() {
 if (configJSONobj.stackHidden === undefined) configJSONobj.stackHidden = false;
 if (configJSONobj.enableRemoteLogBrowsing === undefined) configJSONobj.enableRemoteLogBrowsing = true;
 if (configJSONobj.exposeServerVersion === undefined) configJSONobj.exposeServerVersion = true;
- if (configJSONobj.disableServerSideScriptExpose === undefined) configJSONobj.disableServerSideScriptExpose = false;
+ if (configJSONobj.disableServerSideScriptExpose === undefined) configJSONobj.disableServerSideScriptExpose = true;
 if (configJSONobj.allowStatus === undefined) configJSONobj.allowStatus = true;
 if (configJSONobj.rewriteMap === undefined) configJSONobj.rewriteMap = [];
 if (configJSONobj.dontCompress === undefined) configJSONobj.dontCompress = [];
diff --git a/views.txt b/views.txt
index dc7b54a..597975b 100644
--- a/views.txt
+++ b/views.txt
@@ -1 +1 @@
-33
\ No newline at end of file
+35
\ No newline at end of file
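Review bot: In svr.js, the rewritten `else if` in the `@@ -4643` hunk fails closed only for a missing key: a `null`, `0` or empty-string value for `disableServerSideScriptExpose` in config.json still skips the 403 and leaves server-side script sources readable. If only an explicit `false` is meant to opt out, the last clause could be `configJSON.disableServerSideScriptExpose !== false`. The branch is also still skipped whenever `isProxy` is set, which this hunk leaves unchanged and whose computation is not visible here, so it is worth confirming that a proxied request can never resolve to a local script path. The enclosing `if (!cluster.isPrimary) {` block starts and ends outside the hunk.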
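Review bot: In `saveConfig()` (the `@@ -5789` hunk of svr.js), the new `true` default applies only when the key is absent, yet the removed line shows that earlier versions filled in `false` at this spot. If saveConfig persists `configJSONobj` back to config.json (not visible in the hunk), any install that saved its configuration before this commit keeps an explicit `false` and stays exposed after upgrading. That upgrade path deserves a release note, or a startup warning when the value is explicitly `false`, plus a comment above the line such as `// Secure default: only an explicit false exposes server-side script sources.` saveConfig's body starts and ends outside the hunk.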